
Re: rewrite a login into a dn in simple bind



Hi Quanah,

Quanah Gibson-Mount <quanah@stanford.edu> writes:

> --On Thursday, October 09, 2003 2:00 PM -0400 Ace Suares
> <ace@suares.nl> wrote:
>
>> A way out could be to make a separate tree (or an entirely separate
>> database) where you store the dn and the uid, and since you control that
>> database, you can give access to it by anonymous, to find the dn, and
>> then bind to the 'real' database with the found dn and the password.
>> Obviously, keeping the second database in sync with the main database
>> will be a pain. It could be done, but it seems there are various
>> obstacles in your way.
>
> One solution to this, would be if OpenLDAP would allow you to populate
> only portions of a tree.  That currently isn't possible in 2.1.  It
> is, however, possible in 2.2 if you use syncRepl instead of slurpd.
> Since the slave drives the update process, and can only update what it
> is allowed to access on the master, you can make different replicas
> contain different amounts of data -- in essence, you could have a
> replica that contained only the dn and uid (plus the required
> operational attributes).

That is possible in 2.1.
Just an example slapd.conf:

##########################
## subordinate database ##
##########################
# Only this subtree is replicated: the replogfile and replica
# directives belong to this database, not to the superior one.
# A subordinate database must be defined before its superior.
database        bdb
suffix    "ou=addressbook,o=myCompany"
rootdn    "cn=admin,o=myCompany"
directory /usr/local/var/openldap-data
# glue this database into the o=myCompany tree defined below
subordinate
replogfile /usr/local/var/openldap-slurp/slapd.replog
replica host=ldap2.mycompany.com
        binddn=xxxxxx
        bindmethod=xxxxxx
##########################
## superior database    ##
##########################
# no replogfile/replica here, so the rest of o=myCompany stays local
database        bdb
suffix  "o=myCompany"
rootdn  "cn=admin,o=myCompany"
rootpw  {SSHA}xxxxxxxx
directory /var/openldap-data


-Dieter

PS
IOU a script, shame on me :-(
-- 
Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de
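The two-step bind that the thread describes (anonymous search of the lookup subtree for the uid, then a simple bind with the DN that comes back), as an added example in Python; it is not Dieter's script and not OpenLDAP code. It reuses the "ou=addressbook,o=myCompany" suffix from the slapd.conf above as the lookup base; the hostnames ldap2.mycompany.com (replica) and ldap.mycompany.com (master) and the ldapsearch/ldapwhoami wrappers are assumptions. The login string is escaped per RFC 4515 before it goes into the search filter, and a lookup that returns anything other than exactly one DN is refused, which is the check a practitioner wants before binding with a DN that was resolved from user input.

```python
"""Login name -> DN lookup, then simple bind with that DN (added example)."""
import base64
import subprocess

# Assumptions (not from the post): the anonymously readable lookup subtree is the
# replicated "ou=addressbook,o=myCompany" subordinate from the slapd.conf above,
# served by the hypothetical replica ldap2; binds go to the hypothetical master.
LOOKUP_BASE = "ou=addressbook,o=myCompany"
LOOKUP_URI = "ldap://ldap2.mycompany.com"
BIND_URI = "ldap://ldap.mycompany.com"

# RFC 4515 escaping for values placed in a search filter, so a login such as
# "*" or "x)(uid=admin" cannot change the meaning of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def uid_filter(login: str) -> str:
    return f"(uid={escape_filter_value(login)})"


def lookup_command(login: str) -> list:
    """Anonymous search (-x without -D); attribute list '1.1' asks for the DN only."""
    return ["ldapsearch", "-x", "-LLL", "-H", LOOKUP_URI, "-b", LOOKUP_BASE,
            "-s", "sub", uid_filter(login), "1.1"]


def _unfold(ldif_text: str) -> list:
    """Join LDIF continuation lines (a leading space) back onto the previous line."""
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_dns(ldif_text: str) -> list:
    """Collect the DN of every entry in LDIF output, including the base64 'dn::' form."""
    dns = []
    for line in _unfold(ldif_text):
        if line.startswith("dn::"):
            dns.append(base64.b64decode(line[4:].strip()).decode("utf-8"))
        elif line.startswith("dn:"):
            dns.append(line[3:].strip())
    return dns


def dn_for_login(login: str, ldif_text: str) -> str:
    """Map the search result to exactly one DN. Zero matches means an unknown login;
    several matches means the uid is not unique, and guessing which DN to bind with
    would defeat the purpose of the lookup, so both cases are refused."""
    dns = parse_dns(ldif_text)
    if len(dns) != 1:
        raise LookupError(f"login {login!r} matched {len(dns)} entries, expected exactly 1")
    return dns[0]


def bind_command(dn: str) -> list:
    """Simple bind with the resolved DN against the 'real' tree; -W prompts for the
    password so it never appears on the command line or in process listings."""
    return ["ldapwhoami", "-x", "-H", BIND_URI, "-D", dn, "-W"]


def resolve_and_bind(login: str) -> int:
    """Run both steps for real (needs the OpenLDAP client tools and reachable servers)."""
    result = subprocess.run(lookup_command(login), capture_output=True, text=True, check=True)
    dn = dn_for_login(login, result.stdout)
    return subprocess.run(bind_command(dn)).returncode


# Constructed sample of what the lookup step prints with -LLL (not real output).
SAMPLE_LDIF = "dn: uid=jdoe,ou=addressbook,o=myCompany\n\n"

if __name__ == "__main__":
    print(" ".join(lookup_command("jdoe")))
    print(dn_for_login("jdoe", SAMPLE_LDIF))
    print(" ".join(bind_command(dn_for_login("jdoe", SAMPLE_LDIF))))
```

Because only the DN is requested from the lookup subtree and the bind itself goes to the main database, the anonymous-readable replica never needs to hold password attributes, which is the point of splitting the tree in the first place.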